NetBSD Security Advisory 2004-005: Denial of service vulnerabilities in OpenSSL

From: NetBSD Security-Officer (security-officer_at_netbsd.org)
Date: 04/21/04

    Date: Wed, 21 Apr 2004 14:14:03 -0400
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2004-005
                     =================================

    Topic: Denial of service vulnerabilities in OpenSSL

    Version: NetBSD-current: source prior to March 22, 2004
                    NetBSD 2.0: branch unaffected, release will include the fix
                    NetBSD 1.6.2: affected
                    NetBSD 1.6.1: affected
                    NetBSD 1.6: affected
                    NetBSD 1.5.3: affected
                    NetBSD 1.5.2: affected
                    NetBSD 1.5.1: affected
                    NetBSD 1.5: affected
                    pkgsrc: security/openssl packages prior to 0.9.6m

    Severity: Possible denial of service, depending on the application

    Fixed: NetBSD-current: March 22, 2004
                    NetBSD-1.6 branch: April 2, 2004
                                            (1.6.3 will include the fix)
                    NetBSD-1.5 branch: April 7, 2004
                    pkgsrc: openssl-0.9.6m corrects this issue

    Abstract
    ========

    There are two distinct denial of service vulnerabilities addressed by this
    advisory:

            1. Null-pointer assignment during SSL handshake

            A carefully crafted SSL/TLS handshake against a server which
            uses the OpenSSL library may result in a crash. Depending on how
            the application uses the OpenSSL library, this may result in a
            denial of service.

            2. Out-of-bounds read affects Kerberos ciphersuites

            A second flaw in the SSL/TLS handshake could cause a server
            configured to use the Kerberos ciphersuites to crash if a carefully
            crafted sequence of packets is sent by an attacker.

    Solutions and Workarounds
    =========================

    The following instructions describe how to upgrade your libcrypto and libssl
    libraries by updating your source tree, then rebuilding and
    installing new versions.

    * NetBSD-current:

            Systems running NetBSD-current dated from before 2004-03-22
            should be upgraded to NetBSD-current dated 2004-03-23 or later.

            The following directories need to be updated from the
            netbsd-current CVS branch (aka HEAD):
                    crypto/dist/openssl

            To update from CVS, re-build, and re-install libcrypto and libssl:
                    # cd src
                    # cvs update -d -P crypto/dist/openssl

                    # cd lib/libcrypto
                    # make cleandir dependall
                    # make install
                    # cd ../../lib/libssl
                    
                    # make USETOOLS=no cleandir dependall
                    # make USETOOLS=no install

    * NetBSD 1.6, 1.6.1, 1.6.2:

            The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

            Systems running NetBSD 1.6 sources dated from before
            2004-04-02 should be upgraded from NetBSD 1.6 sources dated
            2004-04-03 or later.

            NetBSD 1.6.3 will include the fix.

            The following directories need to be updated from the
            netbsd-1-6 CVS branch:
                    crypto/dist/openssl

            To update from CVS, re-build, and re-install libcrypto and libssl:

                    # cd src
                    # cvs update -d -P -r netbsd-1-6 crypto/dist/openssl

                    # cd lib/libcrypto
                    # make cleandir dependall
                    # make install
                    # cd ../../lib/libssl

                    # make USETOOLS=no cleandir dependall
                    # make USETOOLS=no install

    * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

            The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.

            Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
            from before 2004-04-07 should be upgraded from NetBSD 1.5.*
            sources dated 2004-04-08 or later.

            The following directories need to be updated from the
            netbsd-1-5 CVS branch:
                    crypto/dist/openssl

            To update from CVS, re-build, and re-install libcrypto and libssl:

                    # cd src
                    # cvs update -d -P -r netbsd-1-5 crypto/dist/openssl

                    # cd lib/libcrypto
                    # make cleandir dependall
                    # make install
                    # cd ../../lib/libssl

                    # make cleandir dependall
                    # make install
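The three per-branch rebuild sequences above differ only in the CVS tag passed to cvs update and in whether USETOOLS=no is given when building libssl. The script below is an added example, not a script from the NetBSD advisory or project: it folds those sequences into one function keyed by branch so the same steps are typed the same way on every host. DRY_RUN=1 is an assumption of this example (not a NetBSD convention) that prints the planned commands instead of running them, so the plan can be compared against the advisory before anything is rebuilt. It assumes it is started from the directory containing the src tree, as the advisory's own instructions do.

```shell
#!/bin/sh
# Added example, not the NetBSD project's script: one function covering the
# per-branch libcrypto/libssl rebuild steps from NetBSD-SA2004-005.
# DRY_RUN=1 (assumption of this example) prints commands instead of running
# them. Assumes the current directory contains the src tree.

# Run a command, or print it when DRY_RUN=1. Abort on the first failure so a
# half-built libcrypto is never installed over the old one.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || exit 1
    fi
}

# Emit or execute the update sequence for one branch: current, 1.6 or 1.5.
# Returns 1 for a branch this advisory does not cover.
update_openssl() {
    case "$1" in
        current) tagopt="";              libssl_env="USETOOLS=no" ;;
        1.6)     tagopt="-r netbsd-1-6"; libssl_env="USETOOLS=no" ;;
        1.5)     tagopt="-r netbsd-1-5"; libssl_env="" ;;
        *)       echo "branch not covered by NetBSD-SA2004-005: $1" >&2; return 1 ;;
    esac

    run cd src
    # $tagopt is intentionally unquoted: empty for HEAD, two words otherwise.
    run cvs update -d -P $tagopt crypto/dist/openssl

    run cd lib/libcrypto
    run make cleandir dependall
    run make install

    run cd ../../lib/libssl
    # $libssl_env is intentionally unquoted: empty on the 1.5 branch.
    run make $libssl_env cleandir dependall
    run make $libssl_env install
}

# Usage: DRY_RUN=1 sh update_openssl.sh 1.6   (review the plan)
#        sh update_openssl.sh 1.6             (perform the rebuild)
if [ $# -gt 0 ]; then
    update_openssl "$1"
fi
```

Because run executes cd as a builtin in the calling shell rather than in a subshell, the directory changes carry across the steps exactly as they do when typed interactively; reviewing the DRY_RUN=1 output for the 1.5 branch confirms that no USETOOLS=no is emitted there, matching the advisory.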

    Revision History
    ================

            2004-04-21 Initial release

    More Information
    ================

    Advisories may be updated as new information becomes available.
    The most recent version of this advisory (PGP signed) can be found at
      ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

    Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
    Redistribution permitted only in full, unmodified form.

    $NetBSD: NetBSD-SA2004-005.txt,v 1.3 2004/04/21 17:34:50 david Exp $

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (NetBSD)

    iQCVAwUBQIax0z5Ru2/4N2IFAQHjFwP7B6JP4OrQsPrCgSYkUxpuw4oQ0n9kOB7J
    rEM+aA9/9nrtbc95vuFhjaiahUop91I9oPxNkKjoflaqNyrtGM18U+um5iCv/cJV
    0aBih+cyv7hWylcxrTwZ35QuxpFOz253mpCPpKDk4YC8zDjvQDDOoCIz+854WdDe
    5MM5tkgTqPU=
    =gjxz
    -----END PGP SIGNATURE-----
